@incollection{icml2020_5160,
abstract = {We show new connections between adversarial learning and explainability for deep neural networks (DNNs). One form of explanation of the output of a neural network model in terms of its input features, is a vector of feature-attributions, which can be generated by various techniques such as Integrated Gradients (IG), DeepSHAP, LIME, and CXPlain. Two desirable characteristics of an attribution-based explanation are: (1) \textbackslash textit\lbrace sparseness\rbrace : the attributions of irrelevant or weakly relevant features should be negligible, thus resulting in \textbackslash textit\lbrace concise\rbrace explanations in terms of the significant features, and (2) \textbackslash textit\lbrace stability\rbrace : it should not vary significantly within a small local neighborhood of the input. Our first contribution is a theoretical exploration of how these two properties (when using IG-based attributions) are related to adversarial training, for a class of 1-layer networks (which includes logistic regression models for binary and multi-class classification); for these networks we show that (a) adversarial training using an \textdollar \textbackslash ell\_\textbackslash infty\textdollar -bounded adversary produces models with sparse attribution vectors, and (b) natural model-training while encouraging stable explanations (via an extra term in the loss function), is equivalent to adversarial training. Our second contribution is an empirical verification of phenomenon (a), which we show, somewhat surprisingly, occurs \textbackslash textit\lbrace not only in 1-layer networks, but also DNNs trained on standard image datasets\rbrace , and extends beyond IG-based attributions, to those based on DeepSHAP: adversarial training with \textdollar \textbackslash linf\textdollar -bounded perturbations yields significantly sparser attribution vectors, with little degradation in performance on natural test data, compared to natural training. Moreover, the sparseness of the attribution vectors is significantly better than that achievable via \textdollar \textbackslash ell\_1\textdollar -regularized natural training.
},
author = {Chalasani, Prasad and Chen, Jiefeng and Roy Chowdhury, Amrita and Wu, Xi and Jha, Somesh},
booktitle = {Proceedings of Machine Learning and Systems 2020},
pages = {9052--9062},
title = {Concise Explanations of Neural Networks using Adversarial Training},
year = {2020}
}